Password manager LastPass released an update last week to fix a security bug that could expose credentials a user had entered on a previously visited site.
Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team, found the bug last month.
LastPass, one of the most popular password manager apps, fixed the reported issue in version 4.33.0, released on September 12.
Users who have not enabled auto-update for their LastPass browser extensions or mobile apps are advised to update manually as soon as possible, and to confirm afterwards that the installed version is 4.33.0 or later.
Ormandy has published the details of the flaw he discovered. The bug report walks through the steps needed to reproduce the issue, which means it could also guide an attacker now that it is public.
An attacker can lure users to a malicious page and exploit the vulnerability to extract the credentials that were entered on a previously visited site. According to the researcher, this is not difficult: an attacker could disguise a malicious link behind a Google Translate URL, trick the user into visiting it, and then extract the credentials from the site the user had visited before.
Even though the technique does not work for every URL, the bug was rated High severity.
Because the vulnerability was discovered and reported privately by Google, it is believed that the bug was not exploited in the wild, though such a belief rests on the absence of evidence rather than on proof.
Like any other software, password managers are sometimes affected by bugs, which are usually fixed in due course.
Despite this vulnerability, users are still advised to use a password manager whenever they can. A password manager remains far better than leaving passwords stored in the browser, from which they can easily be extracted by forensic tools and by malware running as the logged-in user.